skip to Main Content

I’m currently trying to figure something out.
I have 2 AWS Accounts.
Account A has a bucket called my_awesome_files.
Account B has users, that would like to be able to see those documents in my_awesome_files.

I have the following policies and roles setup:

Account A (the one who has the bucket):
role: allow-account-b-access-s3-bucket-role
policy:

{
    "Statement": [
        {
            "Action": "s3:GetObject",
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::my_awesome_files"
            ]
        }
    ],
    "Version": "2012-10-17"
}

policy: (trusted entities)

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<account_id_account_b>:root"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

Account B (the one who wants to have access to the bucket):
Has a user with this attached Policy:

{
    "Statement": [
        {
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Resource": "arn:aws:iam::<account_id_account_a>:role/allow-account-b-access-s3-bucket-role"
        }
    ],
    "Version": "2012-10-17"
}

If I read the documentation correctly, this should work.

Now to my questions:

  1. Is this indeed correct, or am I missing something?
  2. If it is indeed correct iam-configuration: Am I missing something with my laravel s3 config?

Do I need some special fancy configuration for it to get that it needs to assume that role or to make it work?
Currently, the filesystem config looks like this:

'my_awesome_files_bucket_config' => [
    'driver' => 's3',
    'key' => env('AWS_ACCESS_KEY_ID', 'xxxx'),
    'secret' => env('AWS_SECRET_ACCESS_KEY', 'xxxx'),
    'region' => env('DEFAULT_REGION', 'eu-central-1'),
    'bucket' => env('MY_AWESOME_FILES_BUCKET', 'xxxx')
]

2

Answers


  1. Chosen as BEST ANSWER

    So I kind of figured it out. The policies are correct, but laravel filesystem automatically does not assume roles (obviously) and I didn't find a way to configure it to do so. (This would actually be a nice feature to the Filesystem lib)

    So my solution was: using directly the AWS SDK to get the correct credentials, and then fetch the files from s3. This looks like this:

    $stsClient = new StsClient([
        'region' => 'eu-central-1',
        'version' => '2011-06-15',
        'credentials' => [
            'key'    => $access_key_id,
            'secret' => $secret_access_key ,
        ],
    ]);
    
    $sessionName = "s3-access";
    
    $result = $stsClient->AssumeRole([
        'RoleArn' => $ARN,
        'RoleSessionName' => $sessionName,
    ]);
    $access_key_id = $result['Credentials']['AccessKeyId'];
    $secret_access_key = $result['Credentials']['SecretAccessKey'];
    $session_token = $result['Credentials']['SessionToken'];
    

    Then the fetching of the file is as easy as reading documentation:

    $s3Client = new S3Client([
        'version'     => '2006-03-01',
        'region'      => 'eu-central-1',
        'credentials' =>  [
            'key'    => $access_key_id,
            'secret' => $secret_access_key,
            'token'  => $session_token
        ]
    ]);
    
    $private_file = $s3Client->getObject([
        'Bucket' => env('BUCKET_NAME'),
        'Key' => 'filename.txt',
    ]);
    

  2. No nothing about laravel, but at the AWS level the user in Account B has the permission to assume the Role, so it needs to go ahead and call something like sts.AssumeRole()

    Login or Signup to reply.
Please signup or login to give your own answer.
Back To Top
Search